​​​​The Dangers to Internal Audit of Donning a "Black Hat"​​​​

Comments Views

​As if we don't have a tough enough time clarifying to stakeholders what exactly we bring to the table, I am seeing an increasing number of instances in which internal auditors are being asked to assume responsibilities related to corporate investigations.

In 2012, 71 percent of North American CAEs surveyed indicated that internal audit conducted confidential investigations on behalf of the audit committee alone. Even more internal audit departments conduct investigations on behalf of executive management. In some cases, internal auditors are called upon by the general counsel or CEO to assist with specific investigations, such as investigating allegations of fraud or other misconduct by a member of management or staff. In other instances, the internal audit department has been assigned permanent responsibility for leading such investigations.

While there are certainly benefits to a close working relationship between internal auditors and corporate investigators, there also are big risks to internal audit. When internal auditors are deeply involved in investigations that may result in disciplinary action against executives or other employees, it can be difficult for the internal auditors to be seen later as "trusted advisors" who are "there to help" when they return in their internal audit role.

Cross-functional arrangements are not new. When I was a federal inspector general, I was responsible by law for both the audit and investigative functions within my organization. The two groups were very different, with the investigators actually being federal law enforcement officers. However, because of a shared reporting structure, my audit and investigative roles and those of my staff were inevitably linked in the minds of our stakeholders.

Frequently, I would receive a call from an irate executive exclaiming, "Your auditors are in my department flashing their guns and badges." I would calmly offer assurances that we did not issue weapons or badges to our auditors, and that our investigators were in their department conducting a confidential investigation related to potential fraud or misconduct. The executives would typically calm down, but they never fully differentiated between the roles of our various staff.

Such misunderstandings might get resolved quickly on a case-by-case basis, but an inherent confusion about the role of an internal auditor vs. that of an investigator undoubtedly makes it more difficult for internal auditors to build and sustain the relationships that are so critical to their ultimate success.

It's easy to get typecast as wearing either a "white hat" or a "black hat" — as hero or enforcement villain. When an internal audit department is associated strongly with the type of investigations that result in terminations or even criminal prosecutions, it can be challenging for anyone in internal audit to be regarded as a true partner.

I don't mean to imply that internal auditors should avoid participating in tough assignments, including investigations involving potential misconduct. Internal auditors can provide a unique and invaluable contribution. And, for smaller organizations, it may not be feasible to maintain separate internal audit and investigations teams. But one of the difficulties of taking on a "black hat" role is that changing roles may not be as easy as, well, changing your hat.

If your organization decides that internal audit should routinely perform or assist in investigations, you should take the extra steps to ensure your audit-client relationships are healthy. If staff size is sufficient, the simplest way may be to assign separate teams to internal audits and investigations, and avoid the temptation to use personnel interchangeably. It also is important to ensure that engagement clients clearly understand the scope and nature of the internal auditors' work, including the fact that we must occasionally support or conduct sensitive investigations.

As a profession, we have made extraordinary progress in recent decades to raise our stature. Corporate executives and board members have a much more favorable view of our capabilities today than a decade ago. While leading or supporting corporate investigations is a role that we must necessarily assume from time to time, it does not come without risks to our image and relationships in the organization. As with any risk, we must employ the appropriate mitigation strategies.

I welcome your thoughts on internal auditing's role in supporting or leading corporate investigations.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.​



Comment on this article

comments powered by Disqus
  • IIA AEC_August 2019_Blog 1_CX
  • IIA Quality_August 2019_Blog 2
  • IIA Group Training_August 2019_Blog 3